Your message dated Sun, 14 Dec 2014 13:34:11 +0000
with message-id <[email protected]>
and subject line Bug#771366: fixed in libyaml 0.1.3-1+deb6u5
has caused the Debian Bug report #771366,
regarding libyaml: CVE-2014-9130: Wrapped strings cause assert failure
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
771366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771366
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: libyaml
Version: 0.1.4-2
Severity: important
Tags: security upstream patch
Hi,

An assert is triggered by wrapped strings, see [1,2,3]. Proposed commit
in [4] comments out the assertion and lets the parser fail.

CVE-2014-9130 was assigned for this reachable assertion in scanner.c.

[1] https://bitbucket.org/xi/libyaml/issue/10/wrapped-strings-cause-assert-failure
[2] http://www.openwall.com/lists/oss-security/2014/11/28/1
[3] https://security-tracker.debian.org/CVE-2014-9130
[4] https://github.com/yaml/libyaml/commit/e6aa721cc0e5a48f408c52355559fd36780ba32a

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: libyaml
Source-Version: 0.1.3-1+deb6u5
We believe that the bug you reported is fixed in the latest version of
libyaml, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated libyaml package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 14 Dec 2014 13:35:17 +0100
Source: libyaml
Binary: libyaml-0-2 libyaml-dev
Architecture: source i386
Version: 0.1.3-1+deb6u5
Distribution: squeeze-lts
Urgency: high
Maintainer: Anders Kaseorg <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
 libyaml-0-2 - Fast YAML 1.1 parser and emitter library
 libyaml-dev - Fast YAML 1.1 parser and emitter library (development)
Closes: 771366
Changes:
 libyaml (0.1.3-1+deb6u5) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add CVE-2014-9130.patch.
     CVE-2014-9130: assert failure when processing wrapped strings.
     (Closes: #771366)
--- End Message ---